---
layout: docs
page_title: Vault Secrets Operator Helm chart configuration
description: >-
  Configuration for the Vault Secrets Operator Helm chart.
---

> [!IMPORTANT]  
> **Documentation Update:** Product documentation, which was located in this repository under `/website`, is now located in [`hashicorp/web-unified-docs`](https://github.com/hashicorp/web-unified-docs), colocated with all other product documentation. Contributions to this content should be made in the `web-unified-docs` repo, not this one. Changes made to `/website` content in this repo will not be reflected on the developer.hashicorp.com website.

<!-- DO NOT EDIT.
Generated from chart/values.yaml in the vault-secrets-operator repo.
commit SHA=0bf284afea63a64e706717e2324a304be4d7f24b

To update run 'make gen-helm-docs' from the vault-secrets-operator repo.
-->

# Vault Secrets Operator Helm chart configuration

The chart is customizable using
[Helm configuration values](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing).

<!-- codegen: start -->

## Top-Level Stanzas

Use these links to navigate to a particular top-level stanza.

- [`controller`](#h-controller)
- [`metricsService`](#h-metricsservice)
- [`defaultVaultConnection`](#h-defaultvaultconnection)
- [`defaultAuthMethod`](#h-defaultauthmethod)
- [`telemetry`](#h-telemetry)
- [`hooks`](#h-hooks)
- [`tests`](#h-tests)

## All Values

### controller ((#h-controller))

- `controller` ((#v-controller)) - Top level configuration for the vault secrets operator deployment.
  This consists of a controller and a kube rbac proxy container.

  - `replicas` ((#v-controller-replicas)) (`integer: 1`) - Set the number of replicas for the operator.

  - `strategy` ((#v-controller-strategy)) (`object: ""`) - Configure the update strategy for multi-replica deployments.
    Kubernetes supports the types Recreate and RollingUpdate.
    ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
    Example:
    ```yaml
    strategy:
      rollingUpdate:
        maxSurge: 1
        maxUnavailable: 0
      type: RollingUpdate
    ```

  - `hostAliases` ((#v-controller-hostaliases)) (`array<map>`) - Host alias settings for the vault-secrets-operator pod.
    The value is an array of PodSpec HostAlias maps.
    ref: https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/
    Example:
    ```yaml
    hostAliases:
      - ip: 192.168.1.100
        hostnames:
          - vault.example.com
    ```

  - `nodeSelector` ((#v-controller-nodeselector)) (`map`) - nodeSelector labels for vault-secrets-operator pod assignment.
    ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
    Example:
    ```yaml
    nodeSelector:
      beta.kubernetes.io/arch: amd64
    ```

  - `tolerations` ((#v-controller-tolerations)) (`array<map>`) - Toleration settings for the vault-secrets-operator pod.
    The value is an array of PodSpec Toleration maps.
    ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
    Example:
    ```yaml
    tolerations:
      - key: "key1"
        operator: "Equal"
        value: "value1"
        effect: "NoSchedule"
    ```

  - `affinity` ((#v-controller-affinity)) - Affinity settings for the vault-secrets-operator pod.
    The value is a map of PodSpec Affinity maps.
    ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity
    Example:
    ```yaml
    affinity:
      nodeAffinity:
        requiredDuringSchedulingIgnoredDuringExecution:
          nodeSelectorTerms:
            - matchExpressions:
                - key: topology.kubernetes.io/zone
                  operator: In
                  values:
                    - antarctica-east1
                    - antarctica-west1
    ```

  - `rbac` ((#v-controller-rbac))

    - `clusterRoleAggregation` ((#v-controller-rbac-clusterroleaggregation)) - clusterRoleAggregation defines the roles included in the aggregated ClusterRole.

      - `viewerRoles` ((#v-controller-rbac-clusterroleaggregation-viewerroles)) (`array<string>: []`) - viewerRoles is a list of roles that will be aggregated into the viewer ClusterRole.
        The role name must be that of any VSO resource type. E.g. "VaultAuth", "HCPAuth".
        All values are case-insensitive.
        Specifying '*' as the first element will include all roles in the aggregation.

        The ClusterRole name takes the form of `<chart-fullname>`-aggregate-role-viewer.

        Example usages:
        ```yaml
        # all roles
        viewerRoles:
          - '*'
        ```
        ```yaml
        # individually specified roles
        viewerRoles:
          - "VaultAuth"
          - "HCPAuth"
        ```

      - `editorRoles` ((#v-controller-rbac-clusterroleaggregation-editorroles)) (`array<string>: []`) - editorRoles is a list of roles that will be aggregated into the editor ClusterRole.
        The role name must be that of any VSO resource type. E.g. "VaultAuth", "HCPAuth".
        All values are case-insensitive.
        Specifying '*' as the first element will include all roles in the aggregation.

        The ClusterRole name takes the form of `<chart-fullname>`-aggregate-role-editor.

        Example usages:
        ```yaml
        # all roles
        editorRoles:
          - '*'
        ```
        ```yaml
        # individually specified roles
        editorRoles:
          - "VaultAuth"
          - "HCPAuth"
        ```

      - `userFacingRoles` ((#v-controller-rbac-clusterroleaggregation-userfacingroles)) (`object: ""`) - userFacingRoles is a map of roles that will be aggregated into the viewer and editor ClusterRoles.
        See https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles for more information.

        - `view` ((#v-controller-rbac-clusterroleaggregation-userfacingroles-view)) (`boolean: false`) - view controls whether the aggregated viewer ClusterRole will be made available to the user-facing
          'view' ClusterRole. Requires the viewerRoles to be set.

        - `edit` ((#v-controller-rbac-clusterroleaggregation-userfacingroles-edit)) (`boolean: false`) - edit controls whether the aggregated editor ClusterRole will be made available to the user-facing
          'edit' ClusterRole. Requires the editorRoles to be set.

  - `kubeRbacProxy` ((#v-controller-kuberbacproxy)) - Settings related to the kubeRbacProxy container. This container is an HTTP proxy for the
    controller manager which performs RBAC authorization against the Kubernetes API using SubjectAccessReviews.

    - `image` ((#v-controller-kuberbacproxy-image)) - Image sets the repo and tag of the kube-rbac-proxy image to use for the controller.

      - `pullPolicy` ((#v-controller-kuberbacproxy-image-pullpolicy)) (`string: IfNotPresent`)

      - `repository` ((#v-controller-kuberbacproxy-image-repository)) (`string: quay.io/brancz/kube-rbac-proxy`)

      - `tag` ((#v-controller-kuberbacproxy-image-tag)) (`string: v0.18.1`)

    - `resources` ((#v-controller-kuberbacproxy-resources)) (`map`) - Configures the default resources for the kube rbac proxy container.
      For more information on configuring resources, see the K8s documentation:
      https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

      - `limits` ((#v-controller-kuberbacproxy-resources-limits))

        - `cpu` ((#v-controller-kuberbacproxy-resources-limits-cpu)) (`string: 500m`)

        - `memory` ((#v-controller-kuberbacproxy-resources-limits-memory)) (`string: 128Mi`)

      - `requests` ((#v-controller-kuberbacproxy-resources-requests))

        - `cpu` ((#v-controller-kuberbacproxy-resources-requests-cpu)) (`string: 5m`)

        - `memory` ((#v-controller-kuberbacproxy-resources-requests-memory)) (`string: 64Mi`)

  - `imagePullSecrets` ((#v-controller-imagepullsecrets)) (`array<map>`) - Image pull secrets to use for private container registry authentication, which will be applied to the controller's
    service account. Alternatively, the value may be specified as an array of strings.
    Example:
    ```yaml
    imagePullSecrets:
      - name: pull-secret-name-1
      - name: pull-secret-name-2
    ```
    Refer to https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry.

  - `extraLabels` ((#v-controller-extralabels)) - Extra labels to attach to the deployment. This should be formatted as a YAML object (map)

  - `annotations` ((#v-controller-annotations)) - This value defines additional annotations for the deployment. This should be formatted as a YAML object (map)

  - `manager` ((#v-controller-manager)) - Settings related to the vault-secrets-operator container.

    - `image` ((#v-controller-manager-image)) - Image sets the repo and tag of the vault-secrets-operator image to use for the controller.

      - `pullPolicy` ((#v-controller-manager-image-pullpolicy)) (`string: IfNotPresent`)

      - `repository` ((#v-controller-manager-image-repository)) (`string: hashicorp/vault-secrets-operator`)

      - `tag` ((#v-controller-manager-image-tag)) (`string: 0.10.0`)

    - `logging` ((#v-controller-manager-logging)) - Logging configuration for the operator.

      - `level` ((#v-controller-manager-logging-level)) (`string: info`) - Sets the log level for the operator.
        Builtin levels are: info, error, debug, debug-extended, trace
        Default: info

      - `timeEncoding` ((#v-controller-manager-logging-timeencoding)) (`string: rfc3339`) - Sets the time encoding for the operator.
        Options are: epoch, millis, nano, iso8601, rfc3339, rfc3339nano
        Default: rfc3339

      - `stacktraceLevel` ((#v-controller-manager-logging-stacktracelevel)) (`string: panic`) - Sets the stacktrace level for the operator.
        Options are: info, error, panic
        Default: panic

    - `globalTransformationOptions` ((#v-controller-manager-globaltransformationoptions)) - Global secret transformation options. In addition to the boolean options
      below, these options may be set via the
      `VSO_GLOBAL_TRANSFORMATION_OPTIONS` environment variable as a
      comma-separated list. Valid values are: `exclude-raw`

      - `excludeRaw` ((#v-controller-manager-globaltransformationoptions-excluderaw)) (`boolean: false`) - excludeRaw directs the operator to omit the `_raw` secret data
        from the destination K8s Secret.

    - `globalVaultAuthOptions` ((#v-controller-manager-globalvaultauthoptions)) - Global Vault auth options. In addition to the boolean options
      below, these options may be set via the
      `VSO_GLOBAL_VAULT_OPTION_OPTIONS` environment variable as a
      comma-separated list. Valid values are: `allow-default-globals`

      - `allowDefaultGlobals` ((#v-controller-manager-globalvaultauthoptions-allowdefaultglobals)) (`boolean: true`) - allowDefaultGlobals directs the operator to search for a "default"
        VaultAuthGlobal if none is specified on the referring VaultAuth CR.
        Default: true

    - `backoffOnSecretSourceError` ((#v-controller-manager-backoffonsecretsourceerror)) (`object: ""`) - Backoff settings for the controller manager. These settings control the backoff behavior
      when the controller encounters an error while fetching secrets from the SecretSource.
      For example, given the following settings:
      ```yaml
      initialInterval: 5s
      maxInterval: 60s
      randomizationFactor: 0.5
      multiplier: 1.5
      ```

      The backoff retry sequence might be something like:
      5.5s, 7.5s, 11.25s, 16.87s, 25.3125s, 37.96s, 56.95s, 60.95s...

      - `initialInterval` ((#v-controller-manager-backoffonsecretsourceerror-initialinterval)) (`duration: 5s`) - Initial interval between retries.

      - `maxInterval` ((#v-controller-manager-backoffonsecretsourceerror-maxinterval)) (`duration: 60s`) - Maximum interval between retries.

      - `maxElapsedTime` ((#v-controller-manager-backoffonsecretsourceerror-maxelapsedtime)) (`duration: 0s`) - Maximum elapsed time without a successful sync from the secret's source.
        It's important to note that setting this option to anything other than
        its default will result in the secret sync no longer being retried after
        reaching the max elapsed time.

      - `randomizationFactor` ((#v-controller-manager-backoffonsecretsourceerror-randomizationfactor)) (`float: 0.5`) - Randomization factor randomizes the backoff interval between retries.
        This helps to spread out the retries to avoid a thundering herd.
        If the value is 0, then the backoff interval will not be randomized.
        It is recommended to set this to a value that is greater than 0.

      - `multiplier` ((#v-controller-manager-backoffonsecretsourceerror-multiplier)) (`float: 1.5`) - Sets the multiplier that is used to increase the backoff interval between retries.
        The value must be greater than zero.

    - `clientCache` ((#v-controller-manager-clientcache)) - Configures the client cache which is used by the controller to cache (and potentially persist) vault tokens that
      are the result of using the VaultAuthMethod. This enables re-use of Vault Tokens
      throughout their TTLs as well as the ability to renew.
      Persistence is only useful in the context of Dynamic Secrets, so "none" is an okay default.

      - `persistenceModel` ((#v-controller-manager-clientcache-persistencemodel)) (`string: ""`) - Defines the `-client-cache-persistence-model`, which caches and persists Vault tokens.
        May also be set via the `VSO_CLIENT_CACHE_PERSISTENCE_MODEL` environment variable.
        Valid values are:
        - `none`: the in-memory client cache is used and no tokens are persisted.
        - `direct-unencrypted`: the in-memory client cache is persisted unencrypted. This is NOT recommended for any production workload.
        - `direct-encrypted`: the in-memory client cache is persisted encrypted using the Vault Transit engine.

        Note: It is strongly encouraged not to use the `direct-unencrypted` setting in
        production, because persisted Vault tokens would then be stored in clear text and
        could be leaked.

        default: "none"

      - `cacheSize` ((#v-controller-manager-clientcache-cachesize)) (`integer: ""`) - Defines the size of the in-memory LRU cache *in entries*, that is used by the client cache controller.
        May also be set via the `VSO_CLIENT_CACHE_SIZE` environment variable.
        Larger numbers will increase memory usage by the controller, lower numbers will cause more frequent evictions
        of the client cache which can result in additional Vault client counts.

        default: 10000

      - `numLocks` ((#v-controller-manager-clientcache-numlocks)) (`integer: ""`) - Defines the number of locks to use for the Vault client cache controller.
        May also be set via the `VSO_CLIENT_CACHE_NUM_LOCKS` environment variable.

        Setting this value less than 1 will cause the manager to set the number of locks equal
        to the number of logical CPUs of the run host.

        See the VSO help output for more information.

        default: 100

      - `storageEncryption` ((#v-controller-manager-clientcache-storageencryption)) - StorageEncryption provides the necessary configuration to encrypt the client storage
        cache within Kubernetes objects using the (required) Vault Transit engine.
        This should only be configured when client cache persistence with encryption is enabled,
        e.g. when `controller.manager.clientCache.persistenceModel=direct-encrypted`, and it
        will deploy an additional VaultAuthMethod to be used with the Vault Transit engine.
        Supported Vault authentication methods for the Transit Auth method are: jwt, appRole,
        aws, and kubernetes.
        Typically, there should only ever be one VaultAuth configured with
        StorageEncryption in the Cluster.

        - `enabled` ((#v-controller-manager-clientcache-storageencryption-enabled)) (`boolean: false`) - toggles the deployment of the Transit VaultAuthMethod CR.

        - `vaultConnectionRef` ((#v-controller-manager-clientcache-storageencryption-vaultconnectionref)) (`string: default`) - Vault Connection Ref to be used by the Transit VaultAuthMethod.
          Default setting will use the default VaultConnectionRef, which must also be configured.

        - `keyName` ((#v-controller-manager-clientcache-storageencryption-keyname)) (`string: ""`) - KeyName to use for encrypt/decrypt operations via Vault Transit.

        - `transitMount` ((#v-controller-manager-clientcache-storageencryption-transitmount)) (`string: ""`) - Mount path for the Transit VaultAuthMethod.

        - `namespace` ((#v-controller-manager-clientcache-storageencryption-namespace)) (`string: ""`) - Vault namespace for the Transit VaultAuthMethod CR.

        - `method` ((#v-controller-manager-clientcache-storageencryption-method)) (`string: kubernetes`) - Vault Auth method to be used with the Transit VaultAuthMethod CR.

        - `mount` ((#v-controller-manager-clientcache-storageencryption-mount)) (`string: kubernetes`) - Mount path for the Transit VaultAuthMethod.

        - `kubernetes` ((#v-controller-manager-clientcache-storageencryption-kubernetes)) - Vault Kubernetes auth method specific configuration

          - `role` ((#v-controller-manager-clientcache-storageencryption-kubernetes-role)) (`string: ""`) - Vault Auth Role to use.
            This is a required field and must be set up in Vault prior to deploying the helm chart
            if `defaultAuthMethod.enabled=true`

          - `serviceAccount` ((#v-controller-manager-clientcache-storageencryption-kubernetes-serviceaccount)) (`string: ""`) - Kubernetes ServiceAccount associated with the Transit Vault Auth Role
            Defaults to using the Operator's service-account.

          - `tokenAudiences` ((#v-controller-manager-clientcache-storageencryption-kubernetes-tokenaudiences)) (`array<string>: []`) - Token Audience should match the audience of the vault kubernetes auth role.

        - `jwt` ((#v-controller-manager-clientcache-storageencryption-jwt)) - Vault JWT auth method specific configuration

          - `role` ((#v-controller-manager-clientcache-storageencryption-jwt-role)) (`string: ""`) - Vault Auth Role to use.
            This is a required field and must be set up in Vault prior to deploying the helm chart
            if using JWT for the Transit VaultAuthMethod.

          - `secretRef` ((#v-controller-manager-clientcache-storageencryption-jwt-secretref)) (`string: ""`) - One of the following is required prior to deploying the helm chart:
            - a K8s secret that contains the JWT
            - a K8s service account, if a service account JWT is used as the Vault JWT auth token and
              needs to be generated by VSO

            Name of the Kubernetes Secret that has the Vault JWT auth token.
            The Kubernetes Secret must contain a key named `jwt` which references the JWT token, and
            must exist in the namespace of any consuming VaultSecret CR. This is a required field if
            a JWT token is provided.

          - `serviceAccount` ((#v-controller-manager-clientcache-storageencryption-jwt-serviceaccount)) (`string: default`) - Kubernetes ServiceAccount to generate a service account JWT

          - `tokenAudiences` ((#v-controller-manager-clientcache-storageencryption-jwt-tokenaudiences)) (`array<string>: []`) - Token Audience should match the bound_audiences or, if applicable, the `aud` list in
            bound_claims of the Vault JWT auth role.

        - `appRole` ((#v-controller-manager-clientcache-storageencryption-approle)) - AppRole auth method specific configuration

          - `roleId` ((#v-controller-manager-clientcache-storageencryption-approle-roleid)) (`string: ""`) - AppRole Role's RoleID to use for authenticating to Vault.
            This is a required field when using appRole and must be set up in Vault prior to deploying
            the helm chart.

          - `secretRef` ((#v-controller-manager-clientcache-storageencryption-approle-secretref)) (`string: ""`) - Name of the Kubernetes Secret that has the AppRole Role's SecretID used to authenticate with
            Vault. The Kubernetes Secret must contain a key named `id` which references the AppRole
            Role's SecretID, and must exist in the namespace of any consuming VaultSecret CR.
            This is a required field when using appRole and must be set up in Vault prior to
            deploying the helm chart.

        - `aws` ((#v-controller-manager-clientcache-storageencryption-aws)) - AWS auth method specific configuration

          - `role` ((#v-controller-manager-clientcache-storageencryption-aws-role)) (`string: ""`) - Vault Auth Role to use.
            This is a required field and must be set up in Vault prior to deploying the helm chart
            if using AWS for the Transit auth method.

          - `region` ((#v-controller-manager-clientcache-storageencryption-aws-region)) (`string: ""`) - AWS region to use for signing the authentication request
            Optional, but most commonly will be the EKS cluster region.

          - `headerValue` ((#v-controller-manager-clientcache-storageencryption-aws-headervalue)) (`string: ""`) - Vault header value to include in the STS signing request

          - `sessionName` ((#v-controller-manager-clientcache-storageencryption-aws-sessionname)) (`string: ""`) - The role session name to use when creating a WebIdentity provider

          - `stsEndpoint` ((#v-controller-manager-clientcache-storageencryption-aws-stsendpoint)) (`string: ""`) - The STS endpoint to use; if not set will use the default

          - `iamEndpoint` ((#v-controller-manager-clientcache-storageencryption-aws-iamendpoint)) (`string: ""`) - The IAM endpoint to use; if not set will use the default

          - `secretRef` ((#v-controller-manager-clientcache-storageencryption-aws-secretref)) (`string: ""`) - The name of a Kubernetes Secret which holds credentials for AWS. Supported keys
            include `access_key_id`, `secret_access_key`, `session_token`

          - `irsaServiceAccount` ((#v-controller-manager-clientcache-storageencryption-aws-irsaserviceaccount)) (`string: ""`) - Name of a Kubernetes service account that is configured with IAM Roles
            for Service Accounts (IRSA). Should be annotated with "eks.amazonaws.com/role-arn".

        - `gcp` ((#v-controller-manager-clientcache-storageencryption-gcp))

          - `role` ((#v-controller-manager-clientcache-storageencryption-gcp-role)) (`string: ""`) - Vault Auth Role to use.
            This is a required field and must be set up in Vault prior to deploying the helm chart
            if using GCP for the Transit auth method.

          - `workloadIdentityServiceAccount` ((#v-controller-manager-clientcache-storageencryption-gcp-workloadidentityserviceaccount)) (`string: ""`) - Name of a Kubernetes service account that is configured for workload
            identity in GKE.

          - `region` ((#v-controller-manager-clientcache-storageencryption-gcp-region)) (`string: ""`) - GCP Region of the GKE cluster's identity provider. Defaults to the
            region returned from the operator pod's local metadata server if
            unspecified.

          - `clusterName` ((#v-controller-manager-clientcache-storageencryption-gcp-clustername)) (`string: ""`) - GKE cluster name. Defaults to the cluster-name returned from the
            operator pod's local metadata server if unspecified.

          - `projectID` ((#v-controller-manager-clientcache-storageencryption-gcp-projectid)) (`string: ""`) - GCP project id. Defaults to the project-id returned from the
            operator pod's local metadata server if unspecified.

        - `params` ((#v-controller-manager-clientcache-storageencryption-params)) (`map`) - Params to use when authenticating to Vault using this auth method.
          ```yaml
          params:
            param-something1: "foo"
          ```

        - `headers` ((#v-controller-manager-clientcache-storageencryption-headers)) (`map: ""`) - Headers to be included in all Vault requests.
          ```yaml
          headers:
            X-vault-something1: "foo"
          ```

    - `maxConcurrentReconciles` ((#v-controller-manager-maxconcurrentreconciles)) (`integer: ""`) - Defines the maximum number of concurrent reconciles for each controller.
      May also be set via the `VSO_MAX_CONCURRENT_RECONCILES` environment variable.

      default: 100

    - `kubeClient` ((#v-controller-manager-kubeclient))

      - `qps` ((#v-controller-manager-kubeclient-qps)) (`float: ""`) - QPS indicates the maximum QPS to the kubernetes API.
        When the value is 0, the kubernetes client's default is used.
        May also be set via the `VSO_KUBE_CLIENT_QPS` environment variable.
        Default: 0

      - `burst` ((#v-controller-manager-kubeclient-burst)) (`uint: ""`) - Maximum burst for throttling requests to the kubernetes API.
        When the value is 0, the kubernetes client's default is used.
        May also be set via the `VSO_KUBE_CLIENT_BURST` environment variable.
        Default: 0

    - `extraEnv` ((#v-controller-manager-extraenv)) (`array<map>`) - Defines additional environment variables to be added to the
      vault-secrets-operator manager container.
      Example:

      ```yaml
      extraEnv:
        - name: HTTP_PROXY
          value: http://proxy.example.com
        - name: VSO_OUTPUT_FORMAT
          value: json
        - name: VSO_CLIENT_CACHE_SIZE
          value: "20000"
        - name: VSO_CLIENT_CACHE_PERSISTENCE_MODEL
          value: "direct-encrypted"
        - name: VSO_MAX_CONCURRENT_RECONCILES
          value: "30"
      ```

    - `extraArgs` ((#v-controller-manager-extraargs)) (`array: []`) - Defines additional commandline arguments to be passed to the
      vault-secrets-operator manager container.

    - `resources` ((#v-controller-manager-resources)) (`map`) - Configures the default resources for the vault-secrets-operator container.
      For more information on configuring resources, see the K8s documentation:
      https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

      - `limits` ((#v-controller-manager-resources-limits))

        - `cpu` ((#v-controller-manager-resources-limits-cpu)) (`string: 500m`)

        - `memory` ((#v-controller-manager-resources-limits-memory)) (`string: 128Mi`)

      - `requests` ((#v-controller-manager-resources-requests))

        - `cpu` ((#v-controller-manager-resources-requests-cpu)) (`string: 10m`)

        - `memory` ((#v-controller-manager-resources-requests-memory)) (`string: 64Mi`)

  - `podSecurityContext` ((#v-controller-podsecuritycontext)) - Configures the Pod Security Context
    https://kubernetes.io/docs/tasks/configure-pod-container/security-context

    - `runAsNonRoot` ((#v-controller-podsecuritycontext-runasnonroot)) (`boolean: true`)

  - `securityContext` ((#v-controller-securitycontext)) - Configures the Container Security Context
    https://kubernetes.io/docs/tasks/configure-pod-container/security-context

    - `allowPrivilegeEscalation` ((#v-controller-securitycontext-allowprivilegeescalation)) (`boolean: false`)

  - `controllerConfigMapYaml` ((#v-controller-controllerconfigmapyaml)) (`map`) - Sets the configuration settings used by the controller. Any custom changes will be reflected in the
    data field of the configmap.
    For more information on configuring resources, see the K8s documentation:
    https://kubernetes.io/docs/concepts/configuration/configmap/

    - `health` ((#v-controller-controllerconfigmapyaml-health))

      - `healthProbeBindAddress` ((#v-controller-controllerconfigmapyaml-health-healthprobebindaddress)) (`string: :8081`)

    - `leaderElection` ((#v-controller-controllerconfigmapyaml-leaderelection))

      - `leaderElect` ((#v-controller-controllerconfigmapyaml-leaderelection-leaderelect)) (`boolean: true`)

      - `resourceName` ((#v-controller-controllerconfigmapyaml-leaderelection-resourcename)) (`string: b0d477c0.hashicorp.com`)

    - `metrics` ((#v-controller-controllerconfigmapyaml-metrics))

      - `bindAddress` ((#v-controller-controllerconfigmapyaml-metrics-bindaddress)) (`string: 127.0.0.1:8080`)

    - `webhook` ((#v-controller-controllerconfigmapyaml-webhook))

      - `port` ((#v-controller-controllerconfigmapyaml-webhook-port)) (`integer: 9443`)

  - `kubernetesClusterDomain` ((#v-controller-kubernetesclusterdomain)) (`string: cluster.local`) - Configures the environment variable KUBERNETES_CLUSTER_DOMAIN used by KubeDNS.

  - `terminationGracePeriodSeconds` ((#v-controller-terminationgraceperiodseconds)) (`integer: 120`) - Duration in seconds the pod needs to terminate gracefully.
    See: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/

  - `preDeleteHookTimeoutSeconds` ((#v-controller-predeletehooktimeoutseconds)) (`integer: 120`) - Timeout in seconds for the pre-delete hook
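The retry schedule described under `controller.manager.backoffOnSecretSourceError` above, worked through as an added Go example. This is illustrative code written for this page, not the operator's own implementation; the type and function names are this example's, and the `jitter` argument is an assumed hook so the schedule can be made deterministic for testing.

```go
package main

import (
	"fmt"
	"math/rand"
	"time"
)

// BackoffConfig mirrors the controller.manager.backoffOnSecretSourceError
// values from the chart (the field names are this example's, not the operator's).
type BackoffConfig struct {
	InitialInterval     time.Duration
	MaxInterval         time.Duration
	MaxElapsedTime      time.Duration // 0 means the sync is retried forever
	RandomizationFactor float64
	Multiplier          float64
}

// Backoff tracks the un-jittered base interval and the total time spent
// waiting between failed fetches from the secret source.
type Backoff struct {
	cfg     BackoffConfig
	base    time.Duration
	elapsed time.Duration
	jitter  func() float64 // returns a value in [0, 1); injectable for tests
}

// NewBackoff starts a retry schedule at InitialInterval. A nil jitter uses
// math/rand; tests pass a constant to make the schedule deterministic.
func NewBackoff(cfg BackoffConfig, jitter func() float64) *Backoff {
	if jitter == nil {
		jitter = rand.Float64
	}
	return &Backoff{cfg: cfg, base: cfg.InitialInterval, jitter: jitter}
}

// Next returns the wait before the next fetch attempt and true, or (0, false)
// once the accumulated wait has reached MaxElapsedTime, which is the point at
// which the secret sync would no longer be retried.
func (b *Backoff) Next() (time.Duration, bool) {
	if b.cfg.MaxElapsedTime > 0 && b.elapsed >= b.cfg.MaxElapsedTime {
		return 0, false
	}
	// Spread the wait uniformly over [base*(1-f), base*(1+f)] so that many
	// resources failing at once do not all retry in the same instant.
	delta := b.cfg.RandomizationFactor * float64(b.base)
	low := float64(b.base) - delta
	high := float64(b.base) + delta
	wait := time.Duration(low + b.jitter()*(high-low))

	// Grow the base interval geometrically, but never beyond MaxInterval.
	// Only the base is capped, so a jittered wait may still exceed it
	// (the chart's own sample sequence shows 60.95s after the 60s cap).
	next := float64(b.base) * b.cfg.Multiplier
	if next > float64(b.cfg.MaxInterval) {
		next = float64(b.cfg.MaxInterval)
	}
	b.base = time.Duration(next)
	b.elapsed += wait
	return wait, true
}

// Schedule returns at most n waits, stopping early once MaxElapsedTime is hit.
func Schedule(cfg BackoffConfig, jitter func() float64, n int) []time.Duration {
	b := NewBackoff(cfg, jitter)
	var waits []time.Duration
	for i := 0; i < n; i++ {
		w, ok := b.Next()
		if !ok {
			break
		}
		waits = append(waits, w)
	}
	return waits
}

// ChartDefaults are the values the chart documents for backoffOnSecretSourceError.
var ChartDefaults = BackoffConfig{
	InitialInterval:     5 * time.Second,
	MaxInterval:         60 * time.Second,
	MaxElapsedTime:      0,
	RandomizationFactor: 0.5,
	Multiplier:          1.5,
}

func main() {
	// With real jitter each run prints a different schedule in the same shape
	// as the sample sequence in the chart documentation.
	for i, w := range Schedule(ChartDefaults, nil, 10) {
		fmt.Printf("retry %2d: wait %v\n", i+1, w.Round(10*time.Millisecond))
	}
}
```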

### metricsService ((#h-metricsservice))

- `metricsService` ((#v-metricsservice)) (`map`) - Configures the metrics service.
  Set the configuration of the metricsService port.

  - `ports` ((#v-metricsservice-ports)) (`map`) - Set the port settings for the metrics service.
    For more information on configuring resources, see the K8s documentation:
    https://kubernetes.io/docs/concepts/services-networking/service/

    - `name` ((#v-metricsservice-ports-name)) (`string: https`)

    - `port` ((#v-metricsservice-ports-port)) (`integer: 8443`)

    - `protocol` ((#v-metricsservice-ports-protocol)) (`string: TCP`)

    - `targetPort` ((#v-metricsservice-ports-targetport)) (`string: https`)

  - `type` ((#v-metricsservice-type)) (`string: ClusterIP`)

### defaultVaultConnection ((#h-defaultvaultconnection))

- `defaultVaultConnection` ((#v-defaultvaultconnection)) - Configures the default VaultConnection CR which will be used by resources
  if they do not specify a VaultConnection reference. The name is 'default' and will
  always be installed in the same namespace as the operator.
  NOTE:
  * It is strongly recommended to deploy the vault secrets operator in a secure Vault environment
    which includes a configuration utilizing TLS and installing Vault into its own restricted namespace.

  - `enabled` ((#v-defaultvaultconnection-enabled)) (`boolean: false`) - toggles the deployment of the VaultAuthMethod CR

  - `address` ((#v-defaultvaultconnection-address)) (`string: ""`) - Address of the Vault Server
    Example: http://vault.default.svc.cluster.local:8200

  - `caCertSecret` ((#v-defaultvaultconnection-cacertsecret)) (`string: ""`) - CACertSecret is the name of a Kubernetes secret containing the trusted PEM encoded CA certificate chain as `ca.crt`.
    Note: This secret must exist prior to deploying the CR.

  - `tlsServerName` ((#v-defaultvaultconnection-tlsservername)) (`string: ""`) - TLSServerName to use as the SNI host for TLS connections.

  - `skipTLSVerify` ((#v-defaultvaultconnection-skiptlsverify)) (`boolean: false`) - SkipTLSVerify for TLS connections.

  - `headers` ((#v-defaultvaultconnection-headers)) (`map`) - Headers to be included in all Vault requests.
    ```yaml
    headers:
      X-vault-something: "foo"
    ```

### defaultAuthMethod ((#h-defaultauthmethod))

- `defaultAuthMethod` ((#v-defaultauthmethod)) - Configures and deploys the default VaultAuthMethod CR which will be used by resources
  if they do not specify a VaultAuthMethod reference. The name is 'default' and will
  always be installed in the same namespace as the operator.
  NOTE:
  * It is strongly recommended to deploy the vault secrets operator in a secure Vault environment
    which includes a configuration utilizing TLS and installing Vault into its own restricted namespace.

  - `enabled` ((#v-defaultauthmethod-enabled)) (`boolean: false`) - toggles the deployment of the VaultAuthMethod CR

  - `namespace` ((#v-defaultauthmethod-namespace)) (`string: ""`) - Vault namespace for the VaultAuthMethod CR

  - `allowedNamespaces` ((#v-defaultauthmethod-allowednamespaces)) (`array<string>: []`) - Kubernetes namespace glob patterns which are allow-listed for use with the default AuthMethod.

  - `method` ((#v-defaultauthmethod-method)) (`string: kubernetes`) - Vault Auth method to be used with the VaultAuthMethod CR

  - `mount` ((#v-defaultauthmethod-mount)) (`string: kubernetes`) - Mount path for the Vault Auth Method.

  - `kubernetes` ((#v-defaultauthmethod-kubernetes)) - Vault Kubernetes auth method specific configuration

    - `role` ((#v-defaultauthmethod-kubernetes-role)) (`string: ""`) - Vault Auth Role to use.
      This is a required field and must be set up in Vault prior to deploying the helm chart
      if `defaultAuthMethod.enabled=true`.

    - `serviceAccount` ((#v-defaultauthmethod-kubernetes-serviceaccount)) (`string: default`) - Kubernetes ServiceAccount associated with the default Vault Auth Role

    - `tokenAudiences` ((#v-defaultauthmethod-kubernetes-tokenaudiences)) (`array<string>: []`) - Token Audience should match the audience of the vault kubernetes auth role.

  - `jwt` ((#v-defaultauthmethod-jwt)) - Vault JWT auth method specific configuration

    - `role` ((#v-defaultauthmethod-jwt-role)) (`string: ""`) - Vault Auth Role to use.
      This is a required field and must be set up in Vault prior to deploying the helm chart
      if using JWT for the default auth method.

    - `secretRef` ((#v-defaultauthmethod-jwt-secretref)) (`string: ""`) - Name of the Kubernetes Secret that holds the Vault JWT auth token.
      The Secret must contain a key named `jwt` holding the token, and must exist in the namespace
      of any consuming VaultSecret CR. This field is required when a pre-provisioned JWT is used.

      One of the following must exist prior to deploying the helm chart:
      - a Kubernetes Secret containing the JWT (set this field), or
      - a Kubernetes ServiceAccount, if a service account JWT is used as the Vault JWT auth token and VSO should generate it (set `serviceAccount` instead).

    - `serviceAccount` ((#v-defaultauthmethod-jwt-serviceaccount)) (`string: default`) - Kubernetes ServiceAccount to generate a service account JWT

    - `tokenAudiences` ((#v-defaultauthmethod-jwt-tokenaudiences)) (`array<string>: []`) - Token audiences. These should match the `bound_audiences`
      (or the `aud` list in `bound_claims`, if applicable) of the Vault JWT auth role.

  - `appRole` ((#v-defaultauthmethod-approle)) - AppRole auth method specific configuration

    - `roleId` ((#v-defaultauthmethod-approle-roleid)) (`string: ""`) - AppRole Role's RoleID to use for authenticating to Vault.
      This is a required field when using appRole and must be set up in Vault prior to deploying the
      helm chart.

    - `secretRef` ((#v-defaultauthmethod-approle-secretref)) (`string: ""`) - Name of the Kubernetes Secret that has the AppRole Role's SecretID used to authenticate with Vault.
      The Kubernetes Secret must contain a key named `id` which holds the AppRole Role's
      SecretID, and must exist in the namespace of any consuming VaultSecret CR.
      This is a required field when using appRole; the SecretID must be generated in Vault and the
      Secret created prior to deploying the helm chart.

  - `aws` ((#v-defaultauthmethod-aws)) - AWS auth method specific configuration

    - `role` ((#v-defaultauthmethod-aws-role)) (`string: ""`) - Vault Auth Role to use.
      This is a required field and must be set up in Vault prior to deploying the helm chart
      if using AWS for the default auth method.

    - `region` ((#v-defaultauthmethod-aws-region)) (`string: ""`) - AWS region to use for signing the authentication request
      Optional, but most commonly will be the region where the EKS cluster is running

    - `headerValue` ((#v-defaultauthmethod-aws-headervalue)) (`string: ""`) - Vault header value to include in the STS signing request

    - `sessionName` ((#v-defaultauthmethod-aws-sessionname)) (`string: ""`) - The role session name to use when creating a WebIdentity provider

    - `stsEndpoint` ((#v-defaultauthmethod-aws-stsendpoint)) (`string: ""`) - The STS endpoint to use; if not set will use the default

    - `iamEndpoint` ((#v-defaultauthmethod-aws-iamendpoint)) (`string: ""`) - The IAM endpoint to use; if not set will use the default

    - `secretRef` ((#v-defaultauthmethod-aws-secretref)) (`string: ""`) - The name of a Kubernetes Secret which holds static credentials for AWS. Supported keys include
      `access_key_id`, `secret_access_key`, `session_token`. Prefer `irsaServiceAccount` where the cluster supports it, so no
      long-lived AWS keys need to be stored in Kubernetes.

    - `irsaServiceAccount` ((#v-defaultauthmethod-aws-irsaserviceaccount)) (`string: ""`) - Name of a Kubernetes service account that is configured with IAM Roles
      for Service Accounts (IRSA). Should be annotated with "eks.amazonaws.com/role-arn".

  - `gcp` ((#v-defaultauthmethod-gcp))

    - `role` ((#v-defaultauthmethod-gcp-role)) (`string: ""`) - Vault Auth Role to use.
      This is a required field and must be set up in Vault prior to deploying the helm chart
      if using GCP for the default auth method.

    - `workloadIdentityServiceAccount` ((#v-defaultauthmethod-gcp-workloadidentityserviceaccount)) (`string: ""`) - Name of a Kubernetes service account that is configured for workload
      identity in GKE.

    - `region` ((#v-defaultauthmethod-gcp-region)) (`string: ""`) - GCP Region of the GKE cluster's identity provider. Defaults to the
      region returned from the operator pod's local metadata server if
      unspecified.

    - `clusterName` ((#v-defaultauthmethod-gcp-clustername)) (`string: ""`) - GKE cluster name. Defaults to the cluster-name returned from the
      operator pod's local metadata server if unspecified.

    - `projectID` ((#v-defaultauthmethod-gcp-projectid)) (`string: ""`) - GCP project id. Defaults to the project-id returned from the
      operator pod's local metadata server if unspecified.

  - `params` ((#v-defaultauthmethod-params)) (`map`) - Params to use when authenticating to Vault
    params:
      param-something1: "foo"

  - `headers` ((#v-defaultauthmethod-headers)) (`map`) - Headers to be included in all Vault requests.
    headers:
      X-vault-something1: "foo"

  - `vaultAuthGlobalRef` ((#v-defaultauthmethod-vaultauthglobalref)) - Reference to a VaultAuthGlobal CR whose shared configuration is merged into the default VaultAuth CR.

    - `enabled` ((#v-defaultauthmethod-vaultauthglobalref-enabled)) (`boolean: false`) -  toggles the inclusion of the VaultAuthGlobal configuration in the
      default VaultAuth CR.

    - `name` ((#v-defaultauthmethod-vaultauthglobalref-name)) (`string: ""`) - Name of the VaultAuthGlobal CR to reference.

    - `namespace` ((#v-defaultauthmethod-vaultauthglobalref-namespace)) (`string: ""`) - Namespace of the VaultAuthGlobal CR to reference.

    - `allowDefault` ((#v-defaultauthmethod-vaultauthglobalref-allowdefault)) (`boolean: ""`) - When true, fall back to the default VaultAuthGlobal resource if `name` is not set.

    - `mergeStrategy` ((#v-defaultauthmethod-vaultauthglobalref-mergestrategy))

      - `headers` ((#v-defaultauthmethod-vaultauthglobalref-mergestrategy-headers)) (`string: none`) - Merge strategy for headers taken from the referenced VaultAuthGlobal CR.
        Valid values are: "replace", "merge", "none"
        Default in this chart: "none" (see the value above)

      - `params` ((#v-defaultauthmethod-vaultauthglobalref-mergestrategy-params)) (`string: none`) - Merge strategy for params taken from the referenced VaultAuthGlobal CR.
        Valid values are: "replace", "merge", "none"
        Default in this chart: "none" (see the value above)
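The following is an added example, not taken from the chart, of a default auth method using the Kubernetes auth backend with the two controls that bound its blast radius: `allowedNamespaces` and `tokenAudiences`. The role name, ServiceAccount name, audience string, namespace patterns and the Vault-side role parameters listed in the comments are assumptions chosen for illustration.

```yaml
# Added example (not part of the chart). Names are assumptions.
defaultAuthMethod:
  enabled: true
  method: kubernetes
  mount: kubernetes                  # auth mount path, i.e. auth/kubernetes
  allowedNamespaces:                 # glob patterns; omit or narrow further if unsure
    - "payments-*"
    - "billing"
  kubernetes:
    role: vso-default                # assumed; must already exist as auth/kubernetes/role/vso-default
    serviceAccount: vso-auth         # assumed; resolved in the namespace of the consuming resource
    tokenAudiences:
      - vault                        # `aud` claim of the projected token VSO requests
  # Per-request extras are optional; shown only to illustrate the shape.
  params: {}
  headers: {}

# The matching Vault role (created out of band, before `helm install`) pins the
# token to the same identity and audience. Parameter names are those of Vault's
# Kubernetes auth role API:
#   bound_service_account_names=vso-auth
#   bound_service_account_namespaces=payments-prod,payments-staging,billing
#   audience=vault                   # must equal tokenAudiences above
#   token_policies=vso-read-only     # least-privilege policy for the secrets consumed
#   token_ttl=1h
```

Both sides enforce a constraint: the operator refuses to use the default VaultAuth from a namespace outside `allowedNamespaces`, and Vault refuses a token whose service account, namespace or audience does not match the role. Setting only one of the two leaves the other side open to any workload that can reach Vault.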

### telemetry ((#h-telemetry))

- `telemetry` ((#v-telemetry)) - Configures a Prometheus ServiceMonitor

  - `serviceMonitor` ((#v-telemetry-servicemonitor))

    - `enabled` ((#v-telemetry-servicemonitor-enabled)) (`boolean: false`) - Enable deployment of the Vault Secrets Operator ServiceMonitor CustomResource.
      The Prometheus operator *must* be installed before enabling this feature;
      if it is not, the chart will fail to install because the CustomResourceDefinitions
      provided by the operator are missing.

      Instructions on how to install the Helm chart can be found here:
       https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack
      More information can be found here:
       https://github.com/prometheus-operator/prometheus-operator
       https://github.com/prometheus-operator/kube-prometheus

    - `selectors` ((#v-telemetry-servicemonitor-selectors)) (`string: ""`) - Selector labels to add to the ServiceMonitor.
      When empty, defaults to:
       release: prometheus

    - `scheme` ((#v-telemetry-servicemonitor-scheme)) (`string: https`) - Scheme of the service Prometheus scrapes metrics from. This must match the scheme of the metrics service of VSO

    - `port` ((#v-telemetry-servicemonitor-port)) (`string: https`) - Port at which Prometheus scrapes metrics. This must match the port of the metrics service of VSO

    - `path` ((#v-telemetry-servicemonitor-path)) (`string: /metrics`) - Path at which Prometheus scrapes metrics

    - `bearerTokenFile` ((#v-telemetry-servicemonitor-bearertokenfile)) (`string: /var/run/secrets/kubernetes.io/serviceaccount/token`) - File Prometheus reads bearer token from for scraping metrics

    - `interval` ((#v-telemetry-servicemonitor-interval)) (`string: 30s`) - Interval at which Prometheus scrapes metrics

    - `scrapeTimeout` ((#v-telemetry-servicemonitor-scrapetimeout)) (`string: 10s`) - Timeout for Prometheus scrapes

### hooks ((#h-hooks))

- `hooks` ((#v-hooks)) - Configure the behaviour of Helm hooks.

  - `resources` ((#v-hooks-resources)) - Resources common to all hooks.

    - `limits` ((#v-hooks-resources-limits))

      - `cpu` ((#v-hooks-resources-limits-cpu)) (`string: 500m`)

      - `memory` ((#v-hooks-resources-limits-memory)) (`string: 128Mi`)

    - `requests` ((#v-hooks-resources-requests))

      - `cpu` ((#v-hooks-resources-requests-cpu)) (`string: 10m`)

      - `memory` ((#v-hooks-resources-requests-memory)) (`string: 64Mi`)

  - `upgradeCRDs` ((#v-hooks-upgradecrds)) - Configure the Helm pre-upgrade hook that handles custom resource definition (CRD) upgrades.

    - `enabled` ((#v-hooks-upgradecrds-enabled)) (`boolean: true`) - Set to true to automatically upgrade the CRDs.
      Disabling this will require manual intervention to upgrade the CRDs, so it is recommended to
      always leave it enabled.

    - `backoffLimit` ((#v-hooks-upgradecrds-backofflimit)) (`integer: 5`) - Limit the number of retries for the CRD upgrade.

    - `executionTimeout` ((#v-hooks-upgradecrds-executiontimeout)) (`string: 30s`) - Set the timeout for the CRD upgrade. The operation should typically take less than 5s
      to complete.

### tests ((#h-tests))

- `tests` ((#v-tests)) - Used by unit tests, and will not be rendered except when using `helm template`, this can be safely ignored.

  - `enabled` ((#v-tests-enabled)) (`boolean: true`)

  <!-- codegen: end -->

## Helm chart examples

The below `config.yaml` results in a single replica installation of the Vault Secrets Operator
with a default vault connection and auth method custom resource deployed.
It expects a local Vault installation within the kubernetes cluster
accessible via `http://vault.default.svc.cluster.local:8200` with TLS disabled,
and a [Vault Auth Method](/vault/docs/auth/kubernetes) to be set up against the `default` ServiceAccount.
Because `defaultAuthMethod.kubernetes.role` is required when the default auth method is enabled,
the example names the Vault role explicitly; substitute the role configured in your Vault.


```yaml
# config.yaml

defaultVaultConnection:
  enabled: true
  address: http://vault.default.svc.cluster.local:8200
defaultAuthMethod:
  enabled: true
  kubernetes:
    # Vault Kubernetes auth role bound to the `default` ServiceAccount;
    # the name is an example and must match the role created in Vault.
    role: default

```

## Customizing the helm chart

If you need to extend the Helm chart with additional options, we recommend using a third-party tool,
such as [kustomize](https://github.com/kubernetes-sigs/kustomize) using the project repo `config/` path
in the [vault-secrets-operator](https://github.com/hashicorp/vault-secrets-operator) project.
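As an added example (not from the project's documentation), the following `kustomization.yaml` shows the shape of such an overlay. The remote resource path under `config/`, the git ref, the target namespace and the patch contents are assumptions; check the repository for the path and release you actually deploy.

```yaml
# Added example (not part of the project). Path, ref and namespace are assumptions.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: vault-secrets-operator   # assumed target namespace

resources:
  # Assumed: the operator's kubebuilder-style default overlay in the project repo.
  - github.com/hashicorp/vault-secrets-operator/config/default?ref=main

patches:
  # Pin the operator to Linux nodes and run two replicas. Targeting by kind
  # avoids hard-coding the Deployment's generated name, which is why the
  # metadata.name in the inline patch is a placeholder.
  - target:
      kind: Deployment
    patch: |-
      apiVersion: apps/v1
      kind: Deployment
      metadata:
        name: not-important
      spec:
        replicas: 2
        template:
          spec:
            nodeSelector:
              kubernetes.io/os: linux
```

Render it with `kubectl kustomize .` before applying, and pin `ref=` to a tagged release rather than `main` so that an upgrade of the operator is an explicit change in the overlay and not a side effect of a rebuild.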
